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(57) Abstract 

A method of, and apparatus for, pro- 
tecting a computer program from copying or 
propagation to other computer environments 
is provided in which an original executable 
program is encrypted by an encryption pro- 
gram compiler (42) into one or more en- 
crypted program sections (45, 46), on execu- 
tion program (61) for producing a decrypted 
: mage of the original executable program is 
compiled by an execution program compiler 
(60). an installation program (51) arranged 
to interact with the execution program (61) 
is compiled by an installation program com- 
piler (50), and the arrangement is ouch that 
the execution program (61) includes at least 
one encrypted section (45) of the original ex- 
ecutable program whereby the decrypted im- 
age of the original executable program can 
only be run in a target environment which 
has been installed with the execution pro- 
gram (61) and the installation program (51). 
The apparatus may also include a distribution 
program compiler (80) to compile a distribu- 
tion program (81) for installing the installa- 
tion program and execution program in the 
target computer environment. When the ex- 
ecution program is run in the target environment it rebuilds the original executable program in a controlled manner which helps to provide 
protection from viruses. The program compilers (40, 50, 60 and 80) may make use of random or pseudo-random data from a random 
data generator (30) and configuration data (22) with the installation, execution and distribution programs being tailored to particular target 
environments and/or to the source environment. Further features of the invention include the use of self-destructive programs and alias 
names for further security. 
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METHODS AND APPARATUS FOR PROTECTION OF EXECUTABLE 
PROGRAMS, LIBRARIES AND DATA 

This invention relates to the protection of computer programs. It is 
particularly, but not exclusively, concerned with protecting executable programs, 
5 dynamic link libraries and data included in computer programs from unauthorised 
use or copying thereof. 

Modem computer software is frequently supplied in a form which can 
readily be copied. The absence of means of protection has hitherto had a major 
effect on software development and its distribution. It is therefore desirable to 
10 provide a means of protecting software whereby the software may be executed in 
a particular target computer environment in such a manner that it cannot be 
propagated to further computer environments. 

It is also desirable to provide a method of, and apparatus for, manufacturing 
computer programs which enables the programs to be distributed with an acceptable 
15 level of security. 

It is further desirable to provide a system for protecting computer programs 
in which the propagation of viruses is substantially reduced. 

According to a first aspect of the invention, there is provided a method of 
protecting a computer program from copying comprising the steps of: 
20 encrypting an original executable program to produce an encrypted version 

of said original executable program; 

compiling an execution program for producing a decrypted image of the 
original executable program from said encrypted version of the original executable 
program; 

25 providing installation means for installing the execution program and said 

encrypted version of the original executable program into a target environment, 

wherein the execution program includes at least one section of said encrypted 
version of the original executable program and the decrypted image of the original 
executable program can only be run in a target environment which has been 
30 installed with said execution program by said installation means. 

For some applications, the execution program may include an entire 
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encrypted version of the original executable program, but more conveniently the 
execution program incorporates only an encrypted section of the original executable 
program, with remaining sections of the original executable program being 
distributed to a user. In the latter case, since at least one section of the original 
5 executable program is included in the execution program, an unauthorised person 
who only obtains access to the remaining sections is prevented from reconstructing 
the original executable program. The remaining program sections may be 
unencrypted, but preferably they are partially or wholly encrypted for greater 
security. 

10 The installation means preferably includes an installation program which 

interacts with or incorporates part or all of the execution program whereby the 
installation program is arranged to create a modified execution program capable of 
reconstructing an image of the original executable file from the encrypted program 
section or sections. For further security, the installation program may be arranged 

15 to be self-destructive or to be destroyed while it is run once to create the modified 
execution program. 

The installation means may include a distribution program configured to 
install the installation program and execution program in a target computer 
environment. 

20 The installation means, execution program and encrypted executable program 

may be distributed to users by any convenient means, for example either 
individually or collectively on data storage media such as disks, read-only memory, 
CD-roms, or by transmission media such as by satellite or radio-transmission or 
fibre optic cable. 

25 The execution program, the installation program and/or the distribution 

program may include configuration data relating to the target environment in which 
the execution program is to be run and/or to the media used to distribute the 
programs to users. The present invention therefore provides a versatile system in 
which the distribution of executable programs to users can be controlled with the 

30 installation means being tailored to the target environment in which the executable 
program is to be run and/or to the source environment for supplying the programs 
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to users. 

According to a second aspect of the invention, there is provided apparatus 
for manufacturing encrypted software comprising encryption means to encrypt an 
original executable program to produce an encrypted version of the original 
5 executable program; execution program compilation means to compile an execution 
program for decrypting said encrypted version of the original executable program; 
installation program compilation means to compile an installation program for 
installing the execution program and said encrypted version of the original 
executable program in a target computer environment; wherein the installation 
program is arranged to interact with the execution program in such a manner that 
the execution program is not able to decrypt said encrypted version of the original 
executable program to produce a useful decrypted image of the original program 
unless the installation program has been run in the target computer environment. 
Preferably, the apparatus for manufacturing the encrypted software comprises 
a computer which includes encryption compilation means to produce an encryption 
program for encrypting data from the original program to produce one or more 
encrypted program sections. At least one of said encrypted program sections may 
be input to the execution program compilation means to be included in the 
execution program. 

In one form of the invention, the entire encrypted version of the original 
executable program may be input to the execution program compilation means to 
be included in the execution program. Alternatively, one or more of encrypted 
program sections may be included in the execution program with at least one 
further program section being stored in a file of program sections. 

The encryption program compilation means preferably uses random or 
pseudo-random data produced by a random data generator in order to encrypt the 
program sections. As used herein, the term "encryption" encompasses within its 
scope encoding, expansion or compression such that subsequent decoding, 
compression or expansion is required to produce the executable decrypted image of 
the original program. 

The encryption program compilation means may also use configuration data 
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from a configuration data file relating to the specific media source used to distribute 
the software, to the target computer environment in which the section or sections 
of the encrypted executable program are to be installed and/or relating to the 
particular application of the original executable program. The encryption program 
5 compilation means therefore produces an executable encryption program which is 
specific to the application of the original program and/or its intended environment, 
and when the encryption program is run, it produces an output specific to the 
application. The installation program compiler and/or the execution program 
compiler may also make use of random data or pseudo-random data produced by 
0 the random data generator and/or configuration data to produce the installation and 
execution programs respectively. 

The encryption program compilation means is preferably adapted to update 
the configuration data when it produces said at least one encrypted program section. 
Similarly, the execution program compilation means may be adapted to update the 
5 configuration data when it compiles the execution program. The execution program 
compiler and the installation program compiler can therefore make use of 
information created by the encryption program in order to create an execution 
program and an installation program respectively, each of which is unique to the 
particular application of the original program. 

The output of the execution program compilation means is preferably used 
as input to the installation program compilation means so that the execution 
program or an encrypted version thereof may be incorporated within the installation 
program. 

The apparatus preferably also includes distribution program compilation 
means to compile a distribution program for installing the installation program and 
execution program in the target computer environment. The distribution program 
compilation means may make use of configuration data, preferably after it has been 
updated by the encryption, execution and installation programs, in order to create 
a distribution program which is unique to the particular application of the original 
program. 

The installation and execution programs and, when provided, the files of 
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encrypted program sections are made available for distribution to an end user for 
installation on the target computer, but the encryption program remains with the 
manufacturer and is not intended to be distributed to the user. The installation 
program and the distribution program may be distributed to the user separately from 
5 each other and from the file of encrypted program sections. Alternatively, the 
installation program, the execution program and, when provided, the file of 
encrypted program sections may be supplied to the user together, for instance on 
a common program storage means such as an installation disk, or by any convenient 
kind of transmission media. 
1 0 According to a further important aspect of the invention, there is provided 

a self-destructive installation program, which is adapted to interact with an 
execution program to enable the execution program to read at least one encrypted 
program section of an original executable program to produce a decrypted image 
of the original program for utilization in a target computer environment, wherein 
15 the installation program is arranged to destroy itself while it is run once. After the 
installation program has been run and destroyed itself, it can no longer be 
propagated elsewhere. Furthermore, the file of encrypted program sections and the 
execution program are protected from being copied to, and used in, other computer 
environments since the execution program requires the installation program to 
20 enable it to produce a useful decrypted image of the original program. Also, at 
least one section of the encrypted original executable program and any related 
routines upon which it depends for satisfactory operation may be arranged to be 
internally self-destructive or to be destroyed or modified by the execution program 
while it is run in the target environment. 
25 In accordance with another desirable feature of the invention, there is 

provided an execution program for decrypting encrypted program sections of an 
original executable program wherein the execution program is arranged to execute 
the decrypted image of the original program under an alias name. The 
reconstructed original executable program under the alias name may be arranged 
30 to be destroyed by the execution program or may itself be self-destructive providing 
security against the decrypted image of the original program and its execution 
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program being copied and used in another computer environment. 

When the execution program is run in the user environment it rebuilds the 
original executable program by decrypting and re-assembling its various component 
sections. In this manner viruses which are added to any component will be 
5 excluded from the reconstruction and non-genuine components will result in failure 
to execute. 

When the execution program is arranged to process program sections of the 
original program, it may modify, save or temporarily destroy some or all of those 
sections, for subsequent reinstatement. This controlled execution of the decrypted 
10 image of the original program helps to provide protection from infections, such as 
viruses, which do not appear when the program sections are re-instated. 

A preferred embodiment of the present invention, will now be described, by 
way of example only, with reference to the accompanying drawings, in which: 

Figure 1 is a schematic block diagram of computing apparatus for 
15 manufacturing encrypted software in accordance with the invention; 

Figure 2 is a schematic flow chart showing the apparatus and procedures for 
the installation and use of the encrypted software; 

Figure 3 is a block diagram of a process for generating pseudo-random data 
which may be used in the apparatus of Figure 1 ; 
20 Figure 4 is a block diagram of a data conversion process for converting 

binary data to text format which may be used in the apparatus of Figure 1; 

Figures 4a and 4b are block diagrams showing similar data conversion 
routines which may be used in the apparatus of Figure 1 ; 

Figure 5 is a block diagram of the process used to compile the programs in 
25 the apparatus of Figure 1; 

Figure 6 is a block diagram showing how the encryption program is run to 
produce encrypted program sections; 

Figure 7 is a block diagram showing the process used to run the installation 
program in a target computer; 
30 Figure 8 is a block diagram showing the process used to run the execution 

program in the target computer; 
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Figure 9 is a block diagram similar to that of Figure 1 showing a modified 
embodiment of apparatus in accordance with the invention; 

Figure 10 as a flow chart similar to that of Figure 2 showing the apparatus 
and procedure used for installing encrypted software produced by the apparatus of 
5 Figure 9. 

The apparatus for manufacturing encrypted software shown in Figure 1 
comprises a manufacturing computer 10 which includes a random data generator 
30 for generating random or pseudo-random data 32 from an original file 31 of 
random date, encryption means 40 for encrypting an original executable file into 
10 at least one encrypted program section 45 (SPECIFIC.XEN) and, optionally, one 
or more further program sections 46 (SPECIFIC.XEX), an installation program 
compiler 50 for compiling an installation program 51 (INSTALL JEXE), an 
execution program compiler 60 for compiling an execution program 61 
(EXECUTE.EXE), and a distribution program compiler 80 for compiling a 
15 distribution program 81 (MEDIA.EXE). The further program section or program 
sections 46 (SPECIFIC.XEX) may be unencrypted, or they may be partially or 
wholly encrypted depending upon the level of security required. For the sake of 
convenience, the following description will refer to encrypted program sections 46 
(SPECIFIC.XEX). 

20 As shown more particularly in Figure 5, the encryption means 40 includes 

an assembly level encryption compiler 42 provided with a source text 41 of an 
encrypt program and which uses random or pseudo-random data 32 from the 
random data generator 30 and configuration data from a configuration data file 22 
to compile an encryption program 44 (ENCRYPT.EXE). 

25 The configuration data file 22 used by the encryption compiler 42 to 

generate the encryption program 44 includes information preferably prepared in 
advance and relating specifically to the original file of binary data to be protected, 
to the source media to be used for the distribution of the programs and to a target 
computer environment in which the programs 61 (EXECUTE.EXE), 51 

30 (INSTALL.EXE) and, optionally, 46 (SPECIFIC.XEX) are intended to be installed. 
For instance, the configuration data may include the full path to the source program 
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or library to be protected, the source path, the target path, an alias format, a 
selection table of environment factors to be checked on the distribution source and 
target computer environment and a strategy table for the processing input files of 
various sizes. The strategy table can determine whether or not it is necessary to 
generate the further encrypted program sections 46 (SPECIFIC. XEX). 

As shown in Figure 6, the encryption program 44 is arranged to encrypt the 
original executable program 12 into the first encrypted program section 45 
(SPECIFIC.XEN) and, when required, further partly or wholly encrypted program 
section or sections 46 (SPECIFIC.XEX) which may be stored in files 48. The 
encryption program may operate directly upon the original executable program 12 
to convert the encrypted program sections 46 (SPECIFIC.XEX) to binary format 
which may then be stored in files 48. Alternatively, the manufacturing computer 
10 may include a data converter for converting the encrypted program sections 46 
(SPECIFIC.XEX) to binary text format. The encryption program compiler 42 is 
15 able to update the configuration data file 22 with, for example, check total or 
sample encrypted code values for the files it has encrypted. 

The encryption compiler 42 can make use of random data 32, or pseudo- 
random data 34 converted to text format generated in advance by the random data 
generator 30. As shown in Figures 3 and 4, the random data generator 30 may 
20 generate pseudo-random data 34 from a file of random data 31 and the pseudo- 
random data may be stored in one or more files 36 or 18, possibly after passing at 
least some of the data through a data filter 38, before it is input to the encryption 
compiler 42. A data converter 20 may be used to convert the files 36 of binary 
data to files 1 8 of random or pseudo-random data in text format. 
25 Referring to Figure 4A and Figure 6, the first encrypted program section 45 

(SPECIFIC.XEN) produced by the encryption program 44 may be processed by a 
data conversion program 20A (CONVSPEC.EXE) (similar to the data converter 20) 
to produce a binary image 18A (SPECIFIC.RTN) in text format, which may be 
stored in a file 47 before being used as input to the execution program compiler 60 
(Fig. 5). If the strategy table in the configuration data file 22 determines that 
further encrypted program sections 46 will be required, they may also be processed 



30 
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by a data converter (not shown) similar to that of Figure 4A to produce enciypted 
program sections of binary data which can be stored in files 48 for subsequent 
distribution to a user, for instance by distribution media 70, such as an installation 
disk or by transmission media. 
5 Referring to Figure 5 of the drawings, the execution program compiler 60 

may also comprise an assembly level compiler provided with a source text 62 for 
the execute program, and having as input at least the first encrypted binary program 
section 18A (SPECIFIC.RTN) in text format, configuration data from file 22 and 
random (or pseudo-random) data 32 in text format. The configuration data 22 
10 provided as input to the execution program compiler 60 may include path and alias 
or "skeleton" names which can be used when the program is executed in the target 
environment. The execution program compiler 60 preferably provides that 
successful execution of the execution program 61 (EXECUTE.EXE) is dependent 
on strict compliance therewith. By the use of coiafiguration data 22, the 
15 manufacturing computer 10 is thus able to create an execution program 61 which 
is unique to the particular application for the original executable file making use of 
information created by the encryption program 44 (ENCRYPT.EXE). The 
execution program 61 is then used as input to the installation program compiler 50 
after being converted into text format 1 8B (SPECIFIC.RTX) by a data conversion 
20 program 20B (CONVEXEQ.EXE). 

Referring also to Figure 5, the installation program compiler 50 may 
comprise an assembly level compiler provided with a source text 52 for the install 
program, and having as inputs the converted execution program in text format 18B. 
configuration data from file 22, and random (or pseudo-random) data in text format 
25 32. The configuration data 22 which is input to the installation program compiler 
50 may include an environment factor selection table that can determine which 
properties of the target environment have to be checked for propagation protection. 
Alternatively, the table may indicate that external proprietary routines are to be 
executed and results returned. 
30 The configuration data file 22 is also adapted to receive information from 

the encryption program compiler 42, the execution program compiler 60 and the 
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installation program compiler 50. Thus, the file 22 of configuration data can be 
updated by the encryption program compiler 42 with data about the encryption 
program when the encryption program has been compiled, the updated configuration 
data being used by the execution program compiler 60 to compile the execution 
5 program 61. Similarly, the execution program compiler 60 can update the 
configuration data file 22 with data about the execution program 61 which can then 
be used by the installation program compiler 50 in compiling the installation 
program 51. Likewise, the configuration data file 22 can be updated by the 
installation program compiler 50 with information about the installation program 
10 51 which can be used by the distribution program compiler 80 in compiling the 
distribution program 81 (MEDIA.EXE) 

Referring to Figure 5 the distribution program compiler 80 may comprise an 
assembly level compiler provided with a source text 82 for the distribution program 
(MEDIA.EXE), and having as inputs configuration data from file 22, and random 
15 (or pseudo-random) data 32. The distribution program, compiled last in the 
sequence of compilations with configuration data 22 as input is thereby provided 
with additional information useful to decide on alternative courses of action for 
distributing the software from the source to the target environment. 

The data conversion programs 20A CONVSPEC.EXE and 20B 
20 CONVEXEQ.EXE may involve an element of data conversion or encryption in 
addition to their function to produce binary data in text format suitable to be read 
by a computer compiler. 

The source code for the compiler programs which make use of the 
configuration data may direct that only selected parts of the configuration data will 
25 be embodied in the output compilation, and conversely may direct that selected 
parts of the configuration data may be updated as a result of the compilation. 

The strategy table in the configuration data file 22 is somewhat similar to an 
object in computer terminology in that it contains both addresses of functions and 
data. The data which may be returned into the strategy table in the process of 
30 compilation may be information such as computed check sums or parts of 
encryption keys to be passed on to subsequent compilations in the sequence. 
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Encryption keys can thus be incremental, originating say from media identification, 
program serial identification and feedback information introduced into the 
configuration data during earlier compilations. The distribution program 82 
(MEDIA.EXE) being the last in the compilation sequence can be aware of and 
5 make use of all that precedes it. 

The encrypted software consisting of the installation program 51 
(INSTALL.EXE), the distribution program 81 (MEDIA.EXE) and the file or files 
46 of encrypted program sections (SPECIFIC.XEX) may be transferred to an 
installation disk 70 or other file storage means for supply to a distributor or user. 
10 The encryption program (ENCRYPT.EXE) remains with the manufacturer and is 
not intended to be distributed to the user. 

The encrypted software on the distribution media 70 can be installed and 
used in a target environment of an installing agent or user by following the 
procedures illustrated with reference to Figures 2, 7 and 8. The distribution 
5 program 81 (MEDIA.EXE), is run to transfer the installation program 51 
(INSTALL.EXE) and the file or files 48 (if present) of encrypted program sections 
(SPECIFIC.XEX) from the distribution media 70 to the target environment. The 
program 81 (MEDIA.EXE) may convert or revise the installation program 51 
(INSTALL.EXE) to make it dependent on features of the target environment for 
successful subsequent operation. 

In accordance with one installation procedure, the program 81 
(MEDIA.EXE) can read the distribution media 70, copy or transfer the relevant 
files to the target environment, run the install program 51 (INSTALL.EXE) leaving 
a modified execution program 71 (EXECUTE.EXE) in the target environment. The 
end user can then run the modified execution program 71 (EXECUTE.EXE) to 
reconstruct an image 74 of the original executable program and run the application. 

In another installation procedure, for additional protection the modified 
installation program 51 (INSTALL.EXE) may itself be encrypted by these disclosed 
methods or by external means. The resultant encrypted version 151 of the install 
program may be copied to a master disk which may, for example be distributed to 
an installer. When the installer decrypts the installation routine to the target 
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environment the distribution program 81 (MEDIA.EXE) can sense that the correct 
version of the installation program is present in the environment and proceed with 
the installation. 

In this manner, the manufacturer of the encrypted software can control the 
5 distribution of the software, and propagation of the encrypted software is 
substantially reduced. 

In accordance with another advantageous feature of the invention, further 
protection may also be provided by arranging one or more of the installation 
program 51 (INSTALL.EXE), the modified execution program 71 and the 
10 distribution program 81 (MEDIA.EXE) to be self-destroying, run once programs, 
as illustrated in Figures 2 and 7. For example, while the installation program 51 
(INSTALL.EXE) is run in the target environment it may be arranged to destroy 
itself while modifying the execution program 61 (EXECUTE.EXE) to produce the 
modified execution program 71. Subsequent copying of the installation program 
15 51 (INSTALL.EXE), which is required to enable the execution program to decrypt 
and restore the original program sections and rebuild the original executable 
program, is therefore prevented. 

Referring more specifically to Figure 8, the modified execution program 71 
(EXECUTE.EXE) includes first decryption means 72 to, decrypt and restore a first 
20 section of the original executable program internally within itself, second decryption 
means 73 to decrypt and restore other sections of the original program externally, 
and reconstruction means 74 to concatenate the decrypted sections and rebuild the 
image of the original executable program. 

In accordance with a further advantageous feature of the invention, the 
25 execution program (EXECUTE.EXE) includes alias assignment means 75 for 
loading and executing the restored image of the original executable under an alias 
name. The alias program may be arranged to be self destructive when run once, 
or the execution program (EXECUTE.EXE) may include means 78 arranged to 
destroy the alias program when run. The names and extensions given to files of all 
30 kinds in these descriptions are for illustrative purposes only, the configuration file 
22 determines the actual names which will be used for each particular application. 
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The ability to use such covert alias names provides further protection from targeted 
viruses. Executable programs such as those designated with a suffix .EXE are often 
supported by other routines which they depend upon for their operation. References 
to such executable programs should be taken to include such supporting routines 
5 and their data. 

The execution program (EXECUTE.EXE) may also include means 76 for 
destroying program sections and input data, and reconstruction means 77 capable 
of rebuilding and reinstating destroyed sections. The execution program may have 
the ability to recognise a different course of action for dynamic link library files. 
1 0 The execution program can support parameters when run in the target environment. 
These may be passed to the alias program which the execution program executes 
under its control. 

The installation program (INSTALL.EXE) and the execution program 
(EXECUTE.EXE) are preferably constructed such that they run through to 

15 completion whether or not they produce useful output. They are preferably 
arranged such that no error messages, which may be helpful in revealing the 
programs are generated. The encryption program 44 (ENCRYPT.EXE) is 
preferably arranged to encrypt the program sections of the original executable 
program such that there are no vacant buffer areas or sequences of identical data 

20 in the unencrypted source files for INSTALL.EXE and EXECUTE.EXE, these 
being filled with random or pseudo-random data generated by the random data 
generator 10, 30. Encryption of the sections of programs may be overlapping, and 
to more then one level of depth. 

Whilst no encryption system can be said to be completely secure from 

25 decryption and copying, the present invention provides a method of and apparatus 
for manufacturing encrypted software in which protection of an original executable 
program from copying is substantially increased and in which the encrypted 
software has increased protection from viruses and intruders. Furthermore whilst 
the protection system may appear complex, this occurs in the manufacturing process 
30 which can readily be automated and in practise the user will be unaware that the 
original application software is protected. Dependant on the level of protection 

BNSDOCID: <WO 9618951 A1_l_> 



WO 96/18951 



PCT/AU95/00836 



14 

required, not all steps of the manufacturing sequence may be required during a 
production run. 

It will be appreciated that various modifications and alterations to the system 
described above with reference to Figures 1 to 8 of the drawings may be made 
without departing from the scope or spirit of the invention. For instance, a 
common assembly level compiler in the manufacturing computer may be used to 
compile the encryption program (ENCRYPT.EXE), the installation program 
(INSTALL.EXE) and the execution program (EXECUTE.EXE). Also, instead of 
being incorporated wholly within the installation program 51, the execution 
program 61 may be transferred to the target environment separately from the 
installation program 5 1 as illustrated in the modified embodiment of Figures 9 and 
10. 

Figures 9 and 10 are similar to Figures 1 and 2 respectively and 
corresponding reference numerals have been applied to corresponding parts. Figure 
10 differs from Figure 1 in that the execution file 61 is not used as input to the 
installation program compiler 50, and Figure 10 differs from Figure 2 in that when 
the installation program 5 1 and the execution program 6 1 are installed in the target 
environment the installation program 51 (INSTALL.EXE) is arranged to read the 
execution program 61 (EXECUTE.EXE) and interact with it to produce the 
modified execution program 71. 
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Claims: 

1 . A method of protecting a computer program from copying comprising 
the steps of: 

encrypting an original executable program to produce an encrypted version 
5 of said original executable program; 

compiling an execution program for producing a decrypted image of the 
original executable program from said encrypted version of the original executable 
program; 

providing installation means for installing the execution program and said 
10 encrypted version of the original executable program into a target environment, 
wherein the execution program includes at least one section of said encrypted 
version of the original executable program and the decrypted image of the original 
executable program can only be run in a target environment which has been 
installed with said execution program by said installation means. 
15 2. A method according to claim 1 wherein the execution program 

includes an entire encrypted version of the original executable program. 

3. A method according to claim 1 wherein the execution program 
includes only an encrypted section of the original executable program, and 
remaining sections of the original executable program are distributed to a user. 
20 4. A method according to claim 3 wherein the remaining program 

sections are partially or wholly encrypted. 

5. A method according to any one of the preceding claims wherein the 
installation means includes an installation program which interacts with or 
incorporates part or all of the execution program whereby the installation program 

25 is arranged to create a modified execution program capable of reconstructing an 
image of the original executable file from the encrypted program section or 
sections. 

6. A method according to claim 5 wherein the installation program is 
arranged to be self-destructive or to be destroyed while it is run once to create the 

30 modified execution program. 

7. A method according to any one of the preceding claims wherein at 
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least one section of the encrypted original executable program is arranged to be 
self-destructive or to be destroyed or modified by the execution program while it 
is run in the target computer environment. 

8. A method according to any one of the preceding claims wherein the 
installation means includes a distribution program configured to install the 
installation program and execution program in a target computer environment. 

9. A method according to claim 8 wherein the execution program, the 
installation program and/or the distribution program may include configuration data 
relating to the target environment in which the execution program is to be run 
and/or relating to the source environment used to distribute the programs to users. 

10. A method according to any one of the preceding claims further 
comprising the step of using random or pseudo-random data to encrypt the original 
executable program. 

11. A method according to claim 5 or claim 6 wherein random or pseudo- 
random data is used in the production of the installation program. 

12. A method according to claim 8 or claim 9 wherein random or pseudo 
random data is used in the production of the distribution program. 

13. A method according to any one of the preceding claims wherein the 
execution program is arranged to execute the decrypted image of the original 
program under an alias name. 

14. A method according to claim 13 wherein the reconstructed original 
executable program under the alias name is arranged to be destroyed by the 
execution program or is self-destructive providing security against the decrypted 
image of the original program and its execution program being copied and used in 
another computer environment. 

15. A method according to any one of the preceding claims wherein the 
execution program is arranged to rebuild the original executable program by 
decrypting and re-assembling encrypted program sections of the original executable 
program. 

16. A method according to claim 15 wherein the execution program is 
arranged to modify, save or temporarily destroy at least one of said encrypted 
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program sections, for subsequent reinstatement, when processing the encrypted 
program sections. 

17. Apparatus for manufacturing encrypted software comprising: 
encryption means to encrypt an original executable program to produce an 
5 encrypted version of the original executable program; execution program 
compilation means to compile an execution program for decrypting said encrypted 
version of the original executable program; installation program compilation means 
to compile an installation program for installing the execution program and said 
encrypted version of the original executable program in a target computer 
10 environment; wherein the installation program is arranged to interact with the 
execution program in such a manner that the execution program is not able to 
decrypt said encrypted version of the original executable program to produce a 
useful decrypted image of the original program unless the installation program has 
been run in the target computer environment. 
15 18. Apparatus according to claim 17 comprising a computer including 

encryption compilation means to produce an encryption program for encrypting data 
from the original program to produce a plurality of encrypted program sections. 

19. Apparatus according to claim 18 wherein at least one of said 
encrypted program sections is input to the execution program compilation means 

20 to be included in the execution program. 

20. Apparatus according to any one of claims 17 to 19 wherein the entire 
encrypted version of the original executable program is input to the execution 
program compilation means for inclusion in the execution program. 

21. Apparatus according to claim 17 wherein at least one encrypted 
25 program section is stored in a file of program sections instead of being input to the 

execution program compilation means. 

22. Apparatus according to any one of claims 17 to 21 further comprising 
a random data generator for generating random or pseudo-random data. 

23. Apparatus according to claim 22 wherein the encryption program 
30 compilation means uses random or pseudo-random data produced by said random 

data generator to encrypt the original executable program. 
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24. Apparatus according to claim 22 or claim 23 wherein the installation 
program compilation means uses random data or pseudo-random data produced by 
said random data generator when producing the installation program. 

25. Apparatus according to any one of claims 22 to 24 wherein the 
5 execution program compiler uses random or pseudo-random data produced by said 

random data generator when producing the execution program. 

26. Apparatus according to any one of claims 1 7 to 25 further comprising 
data storage means including a configuration data file relating to one or more of the 
following: the specific media source used to distribute the software; the target 

1 0 computer environment in which the section or sections of the encrypted executable 
program are to be installed; and/or the particular application of the original 
executable program. 

27. Apparatus according to claim 26 wherein the encryption program 
compilation means uses configuration data from said configuration data file when 

15 encrypting said original executable program. 

28. Apparatus according to claim 26 or claim 27 wherein the installation 
program compilation means uses configuration data from said configuration data 
file when producing the installation program. 

29. Apparatus according to any one of claims 26 to 28 wherein the 
20 execution program compilation means uses configuration data from said 

configuration data file when producing the execution program. 

30. Apparatus according to claim 27 wherein the encryption program 
compilation means is adapted to update the configuration data when it produces said 
at least one encrypted program section. 

25 31. Apparatus according to claim 29 wherein the executed program 

compilation means is adapted to update the configuration data when it compiles the 

execution program. 

32. Apparatus according to any one of claims 1 7 to 3 1 wherein the output 

of the execution program compilation means is used as input to the installation 
30 program compilation means so that the execution program or an encrypted version 

thereof can be incorporated within the installation program. 
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33. Apparatus according to any one of claims 17 to 32 further comprising 
distribution program compilation means to compile a distribution program for 
installing the installation program and execution program in the target computer 
environment. 

5 34. Apparatus according to claim 33 as appended to any one of claims 26 

to 3 1 wherein the distribution program compilation means uses configuration data 
from said configuration data file in order to create a distribution file which is 
unique to the particular application of the original executable program. 

35. A self-destructive installation program adapted to interact with an 
10 execution program to enable the execution program to read at least one encrypted 

program section of an original executable program to produce a decrypted image 
of the original program for utilisation in a target computer environment, wherein 
the installation program is arranged to destroy itself while it is run once. 

36. An execution program for decrypting encrypted program sections of 
15 an original executable program wherein the execution program is arranged to 

execute the decrypted image of the original executable program under an alias 
name. 
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